3 Replies Latest reply on Sep 13, 2004 10:56 AM by Scott Stark

    How to use JAAS_HOWTO Filter example with Secure Servlet?

    Lea Thurman Newbie

      Hi All,

      I am attempting to secure both my EJB and web content.

      I have implemented a login servlet and login filter as per the instructions in jaas_howto and this is all working as expected with the principal being propagated through to the EJB layer. Heavy going but an excellent document.

      However what surprised me was that when I secured some web content using BASIC HTTP authentication I was still asked for the username and password even after logging on.

      Reading the howto document I was under the impression that the filter using the ClientLoginModule would transfer these details so they would be visible to the web layer.

      The jass_howto example does not really exercise this case i,e logging on and then accessing a secured servlet.

      In my application now the user successfully logs on and then keeps getting asked for a username and password every time they request secure content

      I have read some alternative solutions, one being to code another filter to reject all access to anything other than the login however I would sooner use the declarative approach since then I can control based on role and I will need to use the role in this layer. (I bet isInRole will not work also)

      Am i doing something wrong or is this the expected behaviour? If its the latter how is everyone else achieving this using declarative security?

      Any help would be much appreciated.

      Lea.

        • 1. Re: How to use JAAS_HOWTO Filter example with Secure Servlet
          Scott Stark Master

          That is the expected behavior since the JAAS login is only setting up the security context for subsequent ejb invocations. It does not change or establish the web container security context. That could be done using a custom integration with a tomcat valve, but this would be non-trival, and in general not possible as the security settings for the war may require an SSL connection with CLIENT-CERT mutual authentication. You either have to use your own security layer via filters, delegate to the container using the standard web.xml security model, or do deep customization of tomcat to do what you want.

          • 2. Re: How to use JAAS_HOWTO Filter example with Secure Servlet
            Lea Thurman Newbie

            thanks for that Scott, I was hoping that wouldnt be the conclusion.

            A collegue of mine suggested another solution:

            "Use declarative security in the web tier (FORM) and once logged in the principal details are available in the EJB tier"

            Aparantly it was not with JBoss but the container login called JAAS
            automatically.

            It sounds like the ideal solution but I guess it depends on the container implementation.

            I am gonna try it tonight but is there any reason why if I did a FORM authentication it would be propagated to the EJB.

            Lea.

            • 3. Re: How to use JAAS_HOWTO Filter example with Secure Servlet
              Scott Stark Master

              If you can use declarative security in the web tier you should as the integration with ejb tier is automatic.